If you are like me (and for your sake I hope you are not) navigating through the abstruse marketing manure often leaves one dizzied and confused. As more business people are becoming enamoured with cloud services, evaluating the information security posture of a potential cloud provider is essential, but can often seem like an exercise in futility. If you are going to trust a third party you need to hold their feet to the proverbial fire by undertaking proper due diligence. Before deciding to engage with a cloud provider, ask them to answer (truthfully) this security questionnaire to gauge their information security maturity.

Does the organization have formal written information security policies?

This is an indication of their information security program maturity (or lack thereof). Companies that have not formalized their security policies should not be trusted with your sensitive corporate/customer data. Policies form the framework and foundation and without security is merely an afterthought.

Are external third-party contracts required to comply with policies and customer agreements?

Similar to the concept of subcontracting, if you entrust a cloud vendor with your information and they in-turn use another provider (to store your information for example) does the initial vendor ensure that their partners comply with the policies and security agreements that were laid out in your contract? If not, these partners weaken the overall security of the information chain.

Does the organization have a formal change control process?

Companies that implement changes and configuration in an ad-hoc manner are more likely to experience significant downtime in their environment. The leading cause of network outages can be attributed to poor planning and lack of change control. If the data you are sending to the cloud is time sensitive, you want to go with a provider that abides by a formal change control process, thus managing the inherent risk in unplanned changes.

Often overlooked, physical security is equally important as technical/logical controls. If someone can physically access your data, then all security bets are off. Ask your vendor about how they control physical access to their server rooms and what procedures they have in-place.

Do they follow secure data destruction processes for confidential data and IT equipment/media?

If you are storing confidential/sensitive data in the cloud and if the vendor does not properly destroy data from decommissioned equipment, the data is needlessly put at risk. Ask your vendor about their data destruction process.

Do they implement controls to segregate your data from other customers?

The multi-tenant paradigm of cloud computing introduces a significant avenue of attack. For instance, if a multi-tenant cloud service database is not properly secured, a flaw in one client application could allow an attacker access to other tenant's data. Additionally, check that the vendor is not using system-wide administrator accounts with "God" access to their entire cloud environment. Usage of such accounts should be minimal and should be monitored.

Does the organization encrypt (and regularly test) its backups?

An untested backup is a useless backup. An unencrypted backup defeats the security controls in the production environment. Information needs to be protected across its entire lifecycle.

Does the organization have regularly tested disaster recovery plans for data processing facilities?
If the data your company is sending to the cloud is time-sensitive, check with the vendor to see if they regularly test their disaster recovery plans. Well defined plans will minimize the length and impact of the disaster.
Can they provide results of a third-party external audit conducted within the past two years?
Generally, companies that undergo an external audit have foundational security framework in place and an acceptable baseline of security can be expected. A less then scrupulous vendor may claim to have undergone extensive auditing while actually an auditor hadn't come within 10 square miles of their business. Ask a prospective cloud vendor to provide results of their last external audit. A transparent company will have no qualms in granting you those results. If they refuse, chances are they do not want you to know their shady auditing truth.
Will they provide relevant certificates of applicable compliance certifications?

Vendors will often claim to be compliant with a whole gamut of certifications — ITIL, COBIT, ISO 2700, and the list goes on. Ask the vendors to provide proof about such claims. If they balk, chances are they are hiding something.

The cloud can be as secure as you make it. It is up to each and every cloud user to hold their cloud providers to an expected standard of security. The vendor's underlying cloud environment is likely more secure than your local data centre, but without asking the probing security questions you'll never know. What questions do you ask prospective cloud vendors? How do you assess the information security of a cloud service provider? Include your thoughts in the comments section or contact me @domvogel.

About Dominic Vogel

Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.